Zigbee Protocol Analyzer
Posted in: ZigBee Hacking

[Top] Zigbee Protocol Analyzer: What you need to know

Learn how to build a Zigbee Protocol Analyzer using a CC2531 dongle with Texas Instruments firmware. In this tutorial I will guide you through the whole process.

Hardware Used

Hardware            Price   Store
USB CC2531 Dongle   5       Vendor
CC Debugger         15      Vendor

Hardware – ZigBee Sniffer

CC2531 USB Sniffer Features

The CC2531 USB dongle is a fully functional USB device that connects a PC to IEEE 802.15.4 / ZigBee applications.

It ships with CC2531ZNP-Prod firmware and can be used as a Zigbee packet sniffer (once the sniffer firmware below is flashed) when plugged straight into a PC, Raspberry Pi, etc.

  • Flashed with CC2531ZNP-Prod firmware for the zigbee2mqtt application
  • 8 I/O pins led out to connectors
  • Debug interface
  • Size: 5.6 × 1.6 × 0.7 cm
  • Two buttons and two LEDs for user interaction

CC Debugger

The CC Debugger is a small programmer and debugger for TI Low Power RF System-on-Chips.

It can be used together with IAR Embedded Workbench for 8051 (version 7.51A or later) for debugging and SmartRF Flash Programmer for flash programming.


The CC Debugger can also be used for controlling selected devices from SmartRF Studio.

Software Used

Software               Version        Download
Debian Buster armv7l   5.10.103-v7
CC-Tool
Wireshark
WHsniff                1.3            WHsniff Git
Texas Sniffer                         Sniffer Firmware

Software – ZigBee Sniffer

Install all dependencies

In order for all the software to work we need to install some dependencies (libusb and Boost for cc-tool, p7zip to unpack the firmware installer); execute:

sudo apt-get install -y libusb-1.0-0-dev wireshark libboost-all-dev p7zip-full

Install CC-Tool

rfs@offensive-wireless:~/ZigBee_Sniffer $ git clone https://github.com/dashesy/cc-tool.git
rfs@offensive-wireless:~/ZigBee_Sniffer $ cd cc-tool
rfs@offensive-wireless:~/ZigBee_Sniffer/cc-tool $ ./bootstrap
rfs@offensive-wireless:~/ZigBee_Sniffer/cc-tool $ ./configure
rfs@offensive-wireless:~/ZigBee_Sniffer/cc-tool $ make

Download Sniffer Firmware

Download the SmartRF Packet Sniffer package (swrc045z.zip) from Texas Instruments, unzip it, and use 7z to pull the CC2531 sniffer firmware hex file out of the Windows installer without running it:

rfs@offensive-wireless:~/ZigBee_Sniffer $ unzip swrc045z.zip -d firmware_extracted
$ 7z e firmware_extracted/Setup_SmartRF_Packet_Sniffer_2.18.0.exe bin/general/firmware/sniffer_fw_cc2531.hex

The general form of the flash command is cc-tool erasing the chip (-e) and then writing the hex file (-w):

sudo <path-to>/cc-tool -e -w <path-to>/sniffer_fw_cc2531.hex

Write the Firmware into the CC2531

With the CC Debugger attached to the dongle's debug interface, erase the chip and write the sniffer firmware:

rfs@offensive-wireless:~/ZigBee_Sniffer $ sudo ./cc-tool/cc-tool -e -w sniffer_fw_cc2531.hex

How to Install whsniff – Zigbee Sniffer Software

curl -L https://github.com/homewsn/whsniff/archive/v1.3.tar.gz | tar zx
cd whsniff-1.3
rfs@offensive-wireless:~/ZigBee_Sniffer/whsniff-1.3 $ make
rfs@offensive-wireless:~/ZigBee_Sniffer/whsniff-1.3 $ sudo make install

Zigbee Protocol Analyzer

whsniff writes a pcap stream to standard output, so pipe it straight into Wireshark (-k starts capturing immediately, -i - reads from stdin); -c selects the IEEE 802.15.4 channel (11 to 26) to listen on. Run it locally, or run it on a remote Raspberry Pi over SSH and decode on your workstation:

sudo whsniff -c 11 | wireshark -k -i -
ssh <user>@<raspberry-pi-host> "whsniff -c 18" | wireshark -k -i -

Configure our ZigBee Packet Sniffer to decode

Can a Zigbee sniffer see IEEE MAC addresses?

Yes. The IEEE 802.15.4 MAC header, which carries the 16-bit short and 64-bit extended (IEEE) addresses, is transmitted in the clear even when the Zigbee payload is encrypted at the network layer, so any ZigBee sniffer can see them.
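To show concretely what stays visible, here is an added example (not part of the original tutorial or of whsniff) that reads a pcap stream as whsniff produces it (for instance saved with `sudo whsniff -c 11 > capture.pcap`) and decodes the cleartext 802.15.4 MAC headers into PAN IDs, device addresses and frame types. It assumes the stream uses pcap link type 195 (802.15.4 with FCS); the embedded capture is constructed, not recorded from a real network.

```python
import struct
LINKTYPE_IEEE802_15_4_WITHFCS = 195   # assumed link type of the whsniff pcap stream
FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "command"}

def parse_mac_header(frame: bytes) -> dict:
    """Decode the cleartext 802.15.4 MAC header (frame control, seq, PAN IDs, addresses)."""
    fcf = int.from_bytes(frame[0:2], "little")
    dst_mode, src_mode = (fcf >> 10) & 3, (fcf >> 14) & 3   # 0 none, 2 short, 3 extended
    pan_compress = bool(fcf & 0x40)
    info = {"type": FRAME_TYPES[fcf & 7], "secured": bool(fcf & 0x08), "seq": frame[2]}
    off = 3
    if dst_mode:
        info["dst_pan"] = int.from_bytes(frame[off:off + 2], "little"); off += 2
        n = 2 if dst_mode == 2 else 8
        info["dst"] = frame[off:off + n][::-1].hex(":"); off += n   # little-endian on the air
    if src_mode:
        if not pan_compress:   # source PAN ID is omitted when the compression bit is set
            info["src_pan"] = int.from_bytes(frame[off:off + 2], "little"); off += 2
        n = 2 if src_mode == 2 else 8
        info["src"] = frame[off:off + n][::-1].hex(":"); off += n
    return info

def iter_pcap_frames(data: bytes):
    """Yield each frame (FCS still attached) from a little-endian pcap stream of link type 195."""
    magic, *_, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_IEEE802_15_4_WITHFCS:
        raise ValueError("not an 802.15.4 pcap stream")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def inventory(data: bytes) -> dict:
    """PAN IDs, addresses and frame types seen; Zigbee encrypts at NWK, so these MAC fields stay visible."""
    pans, devices, frames = set(), set(), {}
    for hdr in map(parse_mac_header, iter_pcap_frames(data)):
        pans.update(hex(hdr[k]) for k in ("dst_pan", "src_pan") if k in hdr)
        devices.update(hdr[k] for k in ("dst", "src") if k in hdr and hdr[k] != "ff:ff")
        frames[hdr["type"]] = frames.get(hdr["type"], 0) + 1
    return {"pan_ids": sorted(pans), "devices": sorted(devices), "frames": frames}

def sample_pcap() -> bytes:
    """Constructed sample, not a real capture; the trailing 00 00 stands in for each frame's FCS."""
    ext_src = bytes.fromhex("04030201004b1200")   # 00:12:4b:00:01:02:03:04, reversed on the air
    frames = [b"\x61\xc8\x2a\x62\x1a\x00\x00" + ext_src + b"\x48\x02\x00\x00\x01\x02\x00\x00",
              b"\x41\x88\x2b\x62\x1a\x34\x12\x00\x00" + b"\x48\x02\x00\x00\x34\x12\x00\x00",
              b"\x02\x00\x2a\x00\x00"]
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_15_4_WITHFCS)
    return head + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

Running `inventory(sample_pcap())` lists the coordinator short address 00:00, the extended address of the joining device and the PAN ID, which is exactly the inventory a sniffer on the right channel obtains without any network key.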
